
VoidLink Malware Poses Growing Risk to Enterprise Linux Cloud Deployments


As organizations continue to increase their reliance on cloud computing, a new threat has emerged within modern digital infrastructure. Researchers warn that a subtle but dangerous shift is under way.

According to Check Point Research, a highly sophisticated malware framework known as VoidLink is being developed by a criminal group specifically to infiltrate and persist within Linux-based cloud environments.

While much of the industry's defensive focus remains on Windows-centric threats, VoidLink's appearance underscores a strategic shift by advanced threat actors toward the Linux-based systems that underpin cloud platforms, containerized workloads, and critical enterprise services.

Rather than a simple piece of malicious code, VoidLink is a complex ecosystem designed to deliver long-term, covert control over compromised servers, effectively transforming cloud infrastructure into an attack vector of its own.

The architecture and operational depth of the malware strongly suggest it was designed by well-resourced, professional adversaries rather than opportunistic criminals, posing a serious challenge for defenders whose systems may be silently commandeered and used for malicious purposes without their knowledge.

Check Point Research's detailed analysis concludes that VoidLink is not a single piece of malicious code but a fully developed, cloud-native framework made up of customized loaders, implants, rootkits, and a variety of modular plugins that allow operators to extend, modify, and repurpose its functionality as their operational requirements evolve.

First identified in December 2025, the framework was designed with a strong emphasis on reliability and adaptability within cloud and containerized environments, reflecting a deliberate focus on persistence.

VoidLink's architecture is built around a bespoke Plugin API that draws conceptual parallels to Cobalt Strike's Beacon Object Files model. More than 30 modules are available, and they can be swapped rapidly without redeploying the core implant.

The primary implant, written in Zig, can detect major cloud platforms, including Amazon Web Services, Google Cloud, Microsoft Azure, Alibaba, and Tencent, and dynamically adjusts its behavior when executed within Docker containers or Kubernetes pods.

Alongside this environmental awareness, the malware is capable of harvesting credentials linked to cloud services and to widely used source code management platforms such as Git, indicating an operational focus on software development environments.

Researchers attribute the actively maintained framework to threat actors linked to China. Its emergence emphasizes a broader strategic shift away from Windows-centric attacks toward the Linux-based systems that form the basis of cloud infrastructure and critical digital operations, with potential consequences ranging from data theft to large-scale supply chain compromise.

Described internally by its developers as VoidLink, the framework is built as a cloud-first implant written in the Zig programming language and designed for deployment across modern, distributed environments.

It identifies major cloud platforms, determines whether it is running inside Docker containers or Kubernetes clusters, and dynamically adjusts its behavior to suit that environment.

Beyond this environmental awareness, the malware is designed to steal credentials tied to cloud-based services and popular source code management systems such as Git. This capability suggests that software development environments are a target for intelligence collection or a staging point for future supply chain operations.

Further distinguishing VoidLink from conventional Linux malware is its technical breadth: it incorporates rootkit-like techniques based on LD_PRELOAD, loadable kernel modules, and eBPF, together with an in-memory plugin system that allows new functions to be added without reinstalling the core implant.

Its stealth mechanism adapts evasion behavior to the presence of security tooling, prioritizing operational concealment in closely monitored environments.

The framework also supports a number of command-and-control channels, including HTTP and HTTPS, ICMP, and DNS tunneling, and enables peer-to-peer or mesh-like communication among compromised hosts. Most components appear to be nearing full maturity.
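The LD_PRELOAD and kernel-module persistence techniques described above leave artifacts a defender can audit. The following is an added example (not Check Point's code and not derived from VoidLink samples) that checks /etc/ld.so.preload, /proc/modules and per-process environments against allowlists; the inputs are passed as strings so the constructed samples at the bottom run offline, and the allowlists are assumed to come from a known-good baseline of the same host role.

```python
"""Offline checks for LD_PRELOAD and loadable-kernel-module persistence.
Each check takes file contents as str/bytes so it runs against the constructed
samples below; on a live host feed it /etc/ld.so.preload, /proc/modules and
/proc/<pid>/environ instead."""
from __future__ import annotations

from dataclasses import dataclass

# Directories from which a legitimately installed preload library is not expected.
_UNUSUAL_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/root/", "/home/")


@dataclass(frozen=True)
class Finding:
    source: str   # which artifact the finding came from
    detail: str   # human-readable description


def check_ld_so_preload(contents: str, allowlist: frozenset[str]) -> list[Finding]:
    """Each non-comment line of /etc/ld.so.preload is a shared object injected into
    every dynamically linked process on the host, so any entry outside the
    allowlist is reported."""
    findings: list[Finding] = []
    for raw in contents.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in allowlist:
            continue
        note = " (loaded from a temp or home directory)" if line.startswith(_UNUSUAL_DIRS) else ""
        findings.append(Finding("/etc/ld.so.preload", f"unexpected preload entry {line}{note}"))
    return findings


def check_process_environ(pid: int, environ_blob: bytes) -> list[Finding]:
    """/proc/<pid>/environ holds NUL-separated KEY=VALUE pairs. LD_PRELOAD set in the
    environment of a long-running daemon is a classic userland rootkit indicator."""
    findings: list[Finding] = []
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry.partition(b"=")[2].decode(errors="replace")
            findings.append(Finding(f"/proc/{pid}/environ", f"LD_PRELOAD={value}"))
    return findings


def check_proc_modules(contents: str, allowlist: frozenset[str]) -> list[Finding]:
    """/proc/modules lists one 'name size refcount deps state address [taint]' line
    per loaded module. Modules absent from the baseline are reported, with the
    taint flags (e.g. '(OE)' for an out-of-tree, unsigned module) when present.
    Caveat: a rootkit module that unlinks itself from the kernel's module list
    will not appear here, so on a live host also compare /sys/module and
    'bpftool prog list' output for the eBPF side."""
    findings: list[Finding] = []
    for raw in contents.splitlines():
        parts = raw.split()
        if parts and parts[0] not in allowlist:
            taint = " " + parts[-1] if parts[-1].startswith("(") else ""
            findings.append(Finding("/proc/modules", f"unexpected kernel module {parts[0]}{taint}"))
    return findings


def audit(preload: str, preload_allow: frozenset[str], modules: str,
          module_allow: frozenset[str], environs: dict[int, bytes]) -> list[Finding]:
    """Run all three checks and return the combined findings."""
    findings = check_ld_so_preload(preload, preload_allow)
    findings += check_proc_modules(modules, module_allow)
    for pid, blob in environs.items():
        findings += check_process_environ(pid, blob)
    return findings


# Constructed sample inputs; none of these paths or names are real VoidLink artifacts.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libfakeroot/libfakeroot-0.so\n/dev/shm/.x/libc_hook.so\n"
SAMPLE_PRELOAD_ALLOW = frozenset({"/usr/lib/libfakeroot/libfakeroot-0.so"})
SAMPLE_MODULES = (
    "ext4 778240 1 - Live 0x0000000000000000\n"
    "xfs 1540096 0 - Live 0x0000000000000000\n"
    "hidemod 16384 0 - Live 0x0000000000000000 (OE)\n"
)
SAMPLE_MODULE_ALLOW = frozenset({"ext4", "xfs"})
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0HOME=/root\0",
    5678: b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.x/libc_hook.so\0",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_PRELOAD, SAMPLE_PRELOAD_ALLOW, SAMPLE_MODULES, SAMPLE_MODULE_ALLOW, SAMPLE_ENVIRONS):
        print(f"{f.source}: {f.detail}")
```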

A functional command-and-control server and an integrated web-based management interface are under development, giving operators centralized control of agents, implants, and plugins. To date, no real-world infection has been confirmed.

VoidLink's ultimate purpose also remains unclear, but its sophistication, modularity, and apparent commercial-grade polish suggest it is intended for wider operational deployment, either as a tailored offensive tool created for a particular client or as a productized offensive framework.

Check Point Research has further noted that VoidLink is accompanied by a fully featured, web-based command-and-control dashboard that gives operators centralized monitoring and analysis of compromised systems, including post-exploitation activities.

The interface, localized for Chinese-language users, supports operations across familiar phases, including reconnaissance, credential harvesting, persistence, lateral movement, and evidence destruction, confirming that the framework is designed for sustained, methodical campaigns rather than opportunistic ones.

Although no real-world infections had been confirmed as of January 2026, researchers state that the framework has reached an advanced state of maturity, including an integrated C2 server, a polished operations dashboard, and an extensive plugin ecosystem, which indicates that its deployment could be imminent.

The malware's design philosophy points to a goal of long-term access to cloud environments and close surveillance of their users, marking a significant step up in the sophistication of Linux-focused malware. The researchers argue that VoidLink's modular plugins extend its reach beyond cloud workloads to the developer and administrator workstations that interact directly with those environments.

A compromised system that is not properly protected is effectively transformed into a staging ground for further intrusions or potential supply chain compromises. The researchers conclude that the emergence of such an advanced framework underscores a broader shift in attackers' interest toward Linux-based cloud and container platforms and away from traditional Windows-based targets.

This has prompted organizations to step up their security efforts across Linux, cloud, and containerized infrastructures as attacks become increasingly advanced. Although VoidLink was discovered by chance before any confirmed real-world infection, it serves as a timely reminder that security assumptions must evolve as rapidly as the infrastructure itself.

As attackers increasingly invest in frameworks built to blend into Linux and containerized environments, organizations can no longer protect critical assets with perimeter-based controls and Windows-focused threat models alone.

Security teams are increasingly adopting a cloud-aware defense posture that emphasizes continuous monitoring, least-privilege access, and rigorous oversight of the development and administrative endpoints that bridge on-premises and cloud platforms.

Efficient identity management, hardened container and Kubernetes configurations, and increased visibility into east-west traffic within cloud environments can significantly reduce the risk of long-term, covert compromise of cloud deployments.

Strengthening collaboration between security, DevOps, and platform engineering teams is also vital to ensure that detection and response capabilities keep pace with an ever-changing and adaptive threat landscape.

Modern enterprises depend on digital infrastructure to run their businesses, and as frameworks like VoidLink move closer to real-world deployment, investing in Linux and cloud security now is important not only for mitigating emerging risks but also for strengthening the resilience of the infrastructure that supports them.

Hackers Exploit End-of-Life SonicWall Devices Using Overstep Malware and Possible Zero-Day


Cybersecurity experts from Google’s Threat Intelligence Group (GTIG) have uncovered a series of attacks targeting outdated SonicWall Secure Mobile Access (SMA) devices, which are widely used to manage secure remote access in enterprise environments. 

These appliances, although no longer supported with updates, remain in operation at many organizations, making them attractive to cybercriminals. The hacking group behind these intrusions has been named UNC6148 by Google. Despite being end-of-life, the devices still sit on the edge of sensitive networks, and their continued use has led to increased risk exposure. 

GTIG is urging all organizations that rely on these SMA appliances to examine them for signs of compromise. They recommend that firms collect complete disk images for forensic analysis, as the attackers are believed to be using rootkit-level tools to hide their tracks, potentially tampering with system logs. Assistance from SonicWall may be necessary for acquiring these disk images from physical devices. There is currently limited clarity around the technical specifics of these breaches. 

The attackers are leveraging leaked administrator credentials to gain access, though it remains unknown how those credentials were originally obtained. It’s also unclear what software vulnerabilities are being exploited to establish deeper control. One major obstacle to understanding the attacks is a custom backdoor malware called Overstep, which is capable of selectively deleting system logs to obscure its presence and activity. 

Security researchers believe the attackers might be using a zero-day vulnerability, or possibly exploiting known flaws like CVE-2021-20038 (a memory corruption bug enabling remote code execution), CVE-2024-38475 (a path traversal issue in Apache that exposes sensitive database files), or CVE-2021-20035 and CVE-2021-20039 (authenticated RCE vulnerabilities previously seen in the wild). There’s also mention of CVE-2025-32819, which could allow credential reset attacks through file deletion. 

GTIG, along with Mandiant and SonicWall’s internal response team, has not confirmed exactly how the attackers managed to deploy a reverse shell—something that should not be technically possible under normal device configurations. This shell provides a web-based interface that facilitates the installation of Overstep and potentially gives attackers full control over the compromised appliance. 

The motivations behind these breaches are still unclear. Since Overstep deletes key logs, detecting an infection is particularly difficult. However, Google has shared indicators of compromise to help organizations determine if they have been affected. Security teams are strongly advised to investigate the presence of these indicators and consider retiring unsupported hardware from critical infrastructure as part of a proactive defense strategy.

Interlock RAT Evolves in New KongTuke Web-Inject Attacks Targeting U.S. Industries


A recently enhanced version of the Interlock remote access Trojan (RAT) is being deployed in an ongoing web-inject campaign linked to the ransomware group behind it. Known for its double-extortion tactics, Interlock has now shifted its technical approach with a more covert RAT variant written in PHP. According to a new report by The DFIR Report, this marks a significant advancement in the group’s capabilities and strategy.  

Interlock first emerged in late 2024, attacking high-profile targets such as Texas Tech University’s Health Sciences Centers. Earlier this year, cybersecurity firm Quorum Cyber detailed two versions of the group’s malware, named NodeSnake, focused on maintaining persistence and exfiltrating data. The newest version introduces additional stealth features, most notably a transition from JavaScript to PHP, allowing the malware to blend more easily with normal web traffic and avoid detection. 

This enhanced RAT is tied to a broader web-inject threat campaign dubbed “KongTuke,” where victims are tricked into running malicious scripts after visiting compromised websites. Visitors encounter what appears to be a legitimate CAPTCHA but are actually prompted to paste dangerous PowerShell commands into their systems. This action initiates the Interlock RAT, giving attackers access to the machine. 

Once activated, the malware gathers extensive data on the infected system. Using PowerShell, it collects system information, running processes, mounted drives, network connections, and checks its own privilege level. This enables attackers to evaluate the environment quickly and plan further intrusion tactics. It then connects back to command-and-control infrastructure, leveraging services like Cloudflare Tunneling for stealthy communication. Remote desktop protocol (RDP) is used for lateral movement and persistent access. 

Researchers say the targeting in this campaign appears opportunistic, not industry-specific. Victims across various sectors in the U.S. have been identified, with the attackers casting a wide net and focusing efforts where systems and data seem valuable or more vulnerable.  

Defensive recommendations from experts include improving phishing awareness, restricting the use of the Windows Run dialog box, enforcing least privilege access, and requiring multifactor authentication. Blocking unnecessary use of RDP is also essential. 

The growing sophistication of the Interlock RAT and its integration into mass web-inject campaigns reflects an evolving cyber threat landscape where stealth, automation, and social engineering play a central role.

LegionLoader Malware Resurfaces with Evasive Infection Tactics


Researchers at TEHTRIS Threat Intelligence have uncovered a new wave of LegionLoader, a malware downloader also known as Satacom, CurlyGate, and RobotDropper. This sophisticated threat has been rapidly gaining momentum, with over 2,000 samples identified in recent weeks. 

According to TEHTRIS, the ongoing campaign began on December 19, 2024, and has since spread globally, with Brazil emerging as the most affected country, accounting for around 10% of reported cases. LegionLoader primarily infects systems through drive-by downloads, where users unknowingly download malicious software from compromised websites. 

Cybercriminals behind this campaign frequently leverage illegal download platforms and unsecured web pages, which are quickly taken down after redirecting victims to Mega cloud storage links containing a single ZIP file. These ZIP archives house a 7-Zip password-protected file, making it difficult for security tools to scan the contents. 

To further deceive users, a separate image file displays the password required for extraction, enticing them to execute the malware. Once extracted, LegionLoader is deployed as an MSI (Microsoft Installer) file, requiring user interaction to execute. TEHTRIS researchers found that antivirus detection rates for these MSI files range between 3 and 9 out of 60, indicating the malware’s ability to evade traditional security measures. 

The MSI file also includes two key anti-sandbox mechanisms: a fake CAPTCHA prompt to prevent automated analysis and a virtual environment detection feature using Advanced Installer. These obstacles make it challenging for security researchers to analyze the malware in controlled environments. Upon execution, LegionLoader extracts multiple files into the system’s %APPDATA% directory, including clean DLLs, executables, and a password-protected archive containing the primary payload. 

The malware then uses UnRar.exe to extract a DLL file, which is sideloaded using obsffmpegmux.exe to execute the next stage of the attack. Notably, the obs.dll payload is crafted to evade detection by security tools. TEHTRIS analysis found that most of its exports are empty, while the few containing code appear intentionally misleading, likely to slow down forensic investigation. 

Further examination using BinDiff revealed that while different obs.dll samples were structurally identical, variations existed in their second-stage payloads. During dynamic analysis, researchers observed shellcode decryption, leading to the execution of another malicious component. This secondary stage communicates with hardcoded command-and-control (C2) servers, though all identified C2 domains were inactive at the time of analysis, preventing further insights into the malware’s final objective. 

If all infection stages are completed, LegionLoader attempts to execute a final payload using rundll32.exe. The malware downloads an additional file, places it in a randomly named directory under %TMP%, and launches it as svchost.exe. Given the use of rundll32.exe, researchers suspect the final payload is another malicious DLL, though its specific function remains unknown.

To protect against LegionLoader, security experts advise avoiding software downloads from unverified sources and implementing behavior-based detection strategies. These proactive measures can help mitigate the risks posed by evolving malware threats.
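The behavior-based detection the article recommends can be expressed over process-creation telemetry using the chain described above: UnRar.exe run from %APPDATA%, obsffmpegmux.exe launched from the user profile (where obs.dll was dropped beside it), rundll32.exe pointed at a DLL under %TMP%, and a copy of svchost.exe outside System32. The following is an added example (not TEHTRIS's code); the event format, host names and file paths are constructed for illustration and are not real LegionLoader indicators.

```python
"""Score Windows process-creation events against the LegionLoader execution chain.
A single stage is weak evidence on its own; two or more stages on one host, in the
order the loader follows, is worth an alert."""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def _under(path: str, *fragments: str) -> bool:
    """True if any fragment (case-insensitive) appears in the Windows path."""
    low = path.lower()
    return any(frag in low for frag in fragments)


APPDATA = ("\\appdata\\roaming\\",)
TMP = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def stage_of(ev: ProcEvent) -> str | None:
    """Map one event to a chain stage name, or None if it matches nothing."""
    name = ntpath.basename(ev.image).lower()
    if name == "unrar.exe" and _under(ev.image, *APPDATA):
        return "unrar_from_appdata"
    if name == "obsffmpegmux.exe" and _under(ev.image, *APPDATA):
        # Sideloading indicator: the signed binary runs from the user profile,
        # next to the dropped obs.dll, instead of a Program Files install.
        return "obsffmpegmux_sideload"
    if name == "rundll32.exe" and _under(ev.command_line, *TMP):
        return "rundll32_dll_from_tmp"
    if name == "svchost.exe" and not _under(ev.image, *SYSTEM_DIRS):
        return "svchost_outside_system32"
    return None


def stages_by_host(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Collect the distinct stages observed on each host, in order of first sight."""
    seen: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage and stage not in seen[ev.host]:
            seen[ev.host].append(stage)
    return dict(seen)


def detect_chain(events: list[ProcEvent], min_stages: int = 2) -> dict[str, list[str]]:
    """Return only the hosts on which at least min_stages distinct stages fired."""
    return {h: s for h, s in stages_by_host(events).items() if len(s) >= min_stages}


# Constructed sample telemetry; paths and names are illustrative only.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Users\alice\AppData\Roaming\Mux\UnRar.exe",
              r"C:\Windows\System32\msiexec.exe", r"UnRar.exe x payload.rar"),
    ProcEvent("WS01", r"C:\Users\alice\AppData\Roaming\Mux\obsffmpegmux.exe",
              r"C:\Users\alice\AppData\Roaming\Mux\UnRar.exe", r"obsffmpegmux.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\rundll32.exe",
              r"C:\Users\alice\AppData\Roaming\Mux\obsffmpegmux.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\k3j9x\stage.dll,Run"),
    ProcEvent("WS01", r"C:\Users\alice\AppData\Local\Temp\k3j9x\svchost.exe",
              r"C:\Windows\System32\rundll32.exe", r"svchost.exe"),
    # Benign activity on another host: the real svchost and an ordinary rundll32 call.
    ProcEvent("WS02", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", r"svchost.exe -k netsvcs"),
    ProcEvent("WS02", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\explorer.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for host, stages in detect_chain(SAMPLE_EVENTS).items():
        print(f"{host}: LegionLoader-like chain, stages {' -> '.join(stages)}")
```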

How Hackers Sell Access to Corporate Systems Using Stolen Credentials


In the cybercrime world, Initial Access Brokers (IABs) are essential for facilitating attacks. These specific hackers break into company systems, steal login credentials, and then sell access to other criminals who use it to launch their own attacks. They essentially act as locksmiths for hackers, making it easy for those willing to pay to get into systems.

What Exactly Do IABs Do?

IABs operate as a business, selling stolen access to corporate systems on dark markets such as private forums or Telegram channels. The credentials offered range from basic user logins to the highest-privilege administrator accounts. Some even offer guarantees, refunding buyers if the stolen credentials fail to work.

This system benefits both inexperienced attackers and advanced hacking groups. For less skilled criminals, IABs provide access to high-value targets they could never reach independently. For seasoned ransomware operators, purchasing pre-stolen access saves time and allows them to focus on deploying malware or stealing sensitive data.

Credentials such as usernames and passwords are a hacker's key to entering a system directly, bypassing security barriers. Such attacks occurred in major breaches, including:

  • Geico Case: In 2024, cyber thieves accessed Geico's online tools with stolen credentials and compromised sensitive information for 116,000 customers; the company paid millions in fines.
  • ADT Breach: Thieves used the credentials of one of ADT's partners to breach ADT's internal systems twice, exposing customer records and proving that even trusted relationships can be compromised.

In a report released by IBM in 2024, compromised credentials accounted for nearly 20% of all data breaches and were frequently unobserved for months, leaving attackers sufficient time to steal information.


How to Protect Against IABs  

Organizations must adopt proactive measures to counteract these threats:  

1. Threat Intelligence: Tools can monitor underground markets for stolen credentials. If a company's data appears on these platforms, immediate action, such as forcing password changes, can help minimize damage.

2. Complex Passwords: Companies should enforce rules requiring employees to use complex, unique passwords and to update them regularly. Platforms like Specops Password Policy allow companies to check their credentials against known breached databases to prevent the reuse of breached passwords.

Although IABs have made cybercrime more efficient, organizations can protect themselves by understanding their tactics and strengthening their defenses. Regular monitoring, strong password practices, and quick responses to breaches are key to staying ahead of these threats. By closing the gaps hackers exploit, companies can make it harder for cybercriminals to succeed.




SASE Threat Report: Evolving Threat Actors and the Need for Comprehensive Cyber Threat Intelligence


Threat actors are continuously evolving, yet Cyber Threat Intelligence (CTI) remains fragmented across isolated point solutions. Organizations need a holistic analysis that spans external data, inbound and outbound threats, and network activity to accurately assess their cybersecurity posture.

Cato's Cyber Threat Research Lab (Cato CTRL) has published its inaugural SASE threat report, providing in-depth insights into enterprise and network threats. This report leverages Cato's extensive and detailed network analysis capabilities.

The SASE Threat Report examines threats from strategic, tactical, and operational perspectives using the MITRE ATT&CK framework. It covers malicious and suspicious activities, as well as the applications, protocols, and tools active on networks.

The report is based on:
- Detailed data from every traffic flow across the Cato SASE Cloud Platform
- Hundreds of security feeds
- Analysis through proprietary ML/AI algorithms
- Human intelligence

Cato's data encompasses:
- Over 2200 customers
- 1.26 trillion network flows
- 21.45 billion blocked attacks

These comprehensive resources give Cato unparalleled insights into enterprise security activities.

Understanding Cato CTRL

Cato CTRL (Cyber Threats Research Lab) combines top-tier human intelligence with comprehensive network and security insights, enabled by Cato's AI-enhanced global SASE platform. Experts, including former military intelligence analysts, researchers, data scientists, academics, and security professionals, provide a unique view of the latest cyber threats and actors.

Cato CTRL offers tactical data for SOC teams, operational threat intelligence for managers, and strategic briefings for executives and boards. This includes monitoring and reporting on security industry trends, which informed the SASE Threat Report.

The report provides valuable insights for security and IT professionals, highlighting the following key findings:

1. Widespread AI Adoption in Enterprises: Enterprises are increasingly adopting AI tools, with Microsoft Copilot and OpenAI ChatGPT being the most common. Emol, an application for recording emotions and interacting with AI robots, is also gaining traction.

2. Hacker Forum Insights: Monitoring hacker forums reveals that:
   - LLMs are enhancing tools like SQLMap for more efficient vulnerability exploitation.
   - Services for generating fake credentials and creating deep fakes are available.
   - A malicious ChatGPT startup is recruiting developers.

3. Spoofing of Well-Known Brands: Brands such as Booking, Amazon, and eBay are frequently spoofed for fraudulent activities, posing risks to consumers.

4. Lateral Movement in Enterprise Networks: Attackers can easily move laterally within enterprise networks due to unsecured protocols:
   - 62% of web traffic is HTTP
   - 54% of traffic is Telnet
   - 46% of traffic is SMB v1 or v2

5. Prevalence of Unpatched Systems Over Zero-Day Exploits: Unpatched systems and recent vulnerabilities, such as Log4J (CVE-2021-44228), are more frequently exploited than zero-day vulnerabilities.

6. Industry-Specific Security Exploitations: Different industries face distinct threats:
   - Entertainment, Telecommunications, and Mining & Metals sectors are targeted with T1499 (Endpoint Denial of Service).
   - Services and Hospitality sectors face T1212 (Exploitation for Credential Access).
   Practices also vary, with 50% of media and entertainment organizations not using information security tools.

7. Importance of Contextual Understanding: Seemingly benign actions can be malicious when viewed in context. AI/ML algorithms, combined with network pattern analysis, are essential for detecting suspicious activity.

8. Low Adoption of DNSSEC: Despite its importance, DNSSEC adoption is only at 1%. The Cato CTRL team is investigating the reasons behind this low adoption rate.

The full report can be viewed here.

Next-Level AI: Unbelievable Precision in Replicating Doctors' Notes Leaves Experts in Awe


In an in-depth study, scientists found that a new artificial intelligence (AI) program can generate doctors' notes with such precision that two physicians could not tell the difference. This indicates AI may soon offer healthcare workers groundbreaking efficiencies in producing their notes. Across the globe, artificial intelligence has become one of the most popular topics, with tools like DALL-E 2, ChatGPT, and other solutions assisting users in various ways.

The study found that the new automated tool for creating doctors' notes is so reliable that two doctors were unable to distinguish its output from human-written notes, opening the door for AI to provide breakthrough efficiencies to healthcare personnel.

In the proof-of-concept study, doctors examined patient notes authored both by real medical professionals and by the new AI system; they correctly identified the author only 49% of the time. Nineteen research studies have been conducted by a group of University of Florida and NVIDIA researchers, who trained supercomputers to create medical records using a new model known as GatorTronGPT, which works similarly to ChatGPT.

The free versions of the GatorTron models have been downloaded more than 430,000 times from Hugging Face, an open-source AI website that provides free AI models to the public, with more than 20,000 downloads added since the models went live. According to lead author Yonghui Wu of the University of Florida's Department of Health Outcomes and Biomedical Informatics, the GatorTron models are the only ones on the site suitable for clinical research. The study, published in the journal npj Digital Medicine, developed a comprehensive language model that enables computers to mimic natural human language using the database.

Adapting these models to handle medical records brings additional challenges compared with conventional writing or conversation, such as safeguarding patient privacy and the requirement for highly technical precision. Unlike general text, medical records cannot simply be gathered from the open web through a search engine such as Google or a platform such as Wikipedia.

Researchers at the University of Pittsburgh used a cohort of two million patients' medical records, containing 82 billion relevant medical terms, as the dataset needed to overcome these challenges. They then trained the GatorTronGPT model, which uses the GPT-3 neural network architecture, on an additional collection of 195 billion words to analyze medical data.

GatorTronGPT was consequently able to produce clinical text that resembles doctors' notes. A medical GPT has many potential uses, among them replacing the tedious process of manual documentation with notes captured and transcribed by AI.

As a result of billions upon billions of words of clinical vocabulary and language usage accumulated over weeks, it is not surprising that AI has reached the point where it is similar to human writing. The GatorTronGPT model is the result of recent technological advances in AI, which have demonstrated that they have considerable potential for producing doctors' notes that appear almost indistinguishable from those created by professionals who have a high level of training. 

There is substantial potential for enhancing the efficiency of healthcare documentation through this technology, which was described in a study published in npj Digital Medicine. Developed through a collaboration between the University of Florida and NVIDIA, this automated tool signifies a pivotal step towards changing the way medical note-taking is conducted.

The widespread adoption and utilization of the highly advanced GatorTron models, especially in the realm of clinical research, further emphasizes the practicality and strong demand for such remarkable innovations within the medical field. 

Despite the existence of certain challenges, including privacy considerations and the requirement for utmost technical precision, this remarkable research showcases the remarkable adaptability of advanced language models when it comes to effectively managing and organizing complex medical records. This significant achievement offers a promising glimpse into a future where AI seamlessly integrates into various healthcare systems, thereby providing a highly efficient and remarkably accurate alternative to the traditional and often labour-intensive documentation processes.

Consequently, this remarkable development represents a significant milestone in the realm of medical technology, effectively paving the way for improved workflows, enhanced efficiency, and elevated standards of patient care, which are all paramount in the ever-evolving healthcare landscape.

Cybersecurity Must Adopt a New Approach to Combat Underground Cybercrime Activities

Threat researchers at Cybersixgill published their annual report, The State of the Cybercrime Underground, earlier this year. The study is based on an analysis of data that Cybersixgill gathered from the deep, dark, and clear web in 2022. The study looks at how threat actors' tactics, techniques, and procedures (TTPs) have evolved over time in the digital age and how organisations can adjust to lower risk and maintain operational resilience. 

This article briefly summarises some of the report's key findings, covering trends in credit card fraud, observations on cryptocurrency, advances in artificial intelligence and how they are lowering the barriers to entry for cybercrime, and the emergence of cybercriminal "as-a-service" operations. The need for a new security strategy that combines attack surface management (ASM) and cyber threat intelligence (CTI) to counter threat actors' constantly evolving tactics is covered in more detail below. 

Decline in credit card scams

For many years, credit card fraud has been a constant and recurring threat from underground fraudsters. But a number of recent changes are reversing the trend and sharply lowering the number of credit card theft incidents. In recent months, the number of compromised credit cards being sold on illegal underground markets has decreased significantly. For instance, in 2019 dark web shops offered almost 140 million compromised cards for sale. By 2020, the number had dropped to roughly 102 million, and by 2021 it had fallen by another 60% to just under 42 million cards. The number finally fell to just 9 million cards in 2022.

Clever use of cryptocurrency

The decentralised nature of cryptocurrencies gives users privacy and anonymity, so it should come as no surprise that cybercriminals prefer to pay in cryptocurrency to buy illegal goods and services, launder money obtained from cyberattacks, and collect ransomware payments. As cryptocurrencies have become more widely used for legitimate purposes, they have also attracted the attention of threat actors, opening up new opportunities for "crypto-jacking", hacking of digital wallets, crypto-mining, and theft of digital assets from cryptocurrency exchanges. 

Even in the wake of the 2022 crypto meltdown, attackers continue to place a high value on cryptocurrency. In 2022, we observed a 79% increase in crypto account takeover attacks, as stated in our study. (In the end, fraudsters utilise crypto to move money rather than to generate revenue; prices are quoted in dollars even when underground transactions are conducted in cryptocurrencies.) However, if investors continue to flee the market because of its turbulence, threat actors may eventually give up using cryptocurrencies, as fewer users make it easier for law enforcement to detect illegal transactions and for lawmakers to enact stronger regulation. 

Use of artificial intelligence

Less than a year after ChatGPT first appeared on the scene, cybercriminals remain very excited about it and other recently released AI tools because of their potential to be a force multiplier for online crime. With the right prompts and direction, threat actors can automate the creation of malware code and even mimic human language for social engineering, streamlining the entire attack chain. ChatGPT enables less experienced and less skilled cybercriminals to carry out destructive acts quickly and relatively easily. As the study highlights, AI is lowering the barrier to entry for cybercrime and cutting the time threat actors need to build harmful code and carry out other "pre-ransomware" preparations. 

Mitigation tips

Within an organisation's vast attack surface, every connected system offers a possible entry point for cybercriminals. Today it is nearly impossible to safeguard the growing organisational attack surface using cyber threat intelligence alone to assess vulnerability. The modern attack surface is increasingly external, encompassing a wide ecosystem of unidentified assets from cloud-based resources, connected IPs, SaaS apps, and third-party supply chains in addition to the known network perimeter.

As a result, most organisations struggle with the sheer volume of cyber threat intelligence data and have significant blind spots across their attacker-exposed IT estate. To fight cyber threats effectively, security teams need complete visibility into their own attack surface and real-time knowledge of their threat exposure. 

Cybersixgill's Attack Surface Management (ASM) solution, which embeds native, market-leading Cyber Threat Intelligence (CTI), eliminates visibility blind spots by automatically locating the invisible. With this unified solution, security professionals can continuously find, map, scope, and classify unknown networked assets that could put the business at risk, while also keeping track of the whole asset inventory in real time across the deep, dark, and clear web. 

The ASM integration refines industry-leading threat intelligence to focus on each organisation's unique attack surface and provide the earliest possible alerts of threats targeting the company. With complete insight into organisational threat exposure, security teams can reliably focus their efforts and resources where they are most needed, significantly reducing Mean Time to Remediate (MTTR).
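The mitigation section describes the ASM-plus-CTI workflow in the abstract: discover externally visible assets, classify those missing from the inventory as unknown, intersect the resulting attack surface with threat intelligence, and track MTTR. The script below is an added illustration of that workflow, not Cybersixgill's product or code. Every dataset in it is constructed: the inventory, the "passive DNS" and "certificate transparency" observations, the CTI indicators and their context strings, and the remediation timestamps are all made up for the example, and the `.test` hostnames and documentation IP ranges are placeholders.

```python
"""Toy attack-surface reconciliation: inventory vs. external observations vs. CTI.

Added example, not vendor code. All data below is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed CMDB-style inventory: hostname -> owning team.
KNOWN_ASSETS = {
    "www.example.test": "web",
    "api.example.test": "platform",
    "vpn.example.test": "netops",
    "intranet.example.test": "it",   # internal-only, never seen from outside
}

# Constructed external observations, as an ASM collector might gather from
# passive DNS and certificate-transparency logs.
OBSERVATIONS = [
    {"host": "www.example.test", "source": "passive-dns", "ip": "203.0.113.10"},
    {"host": "api.example.test", "source": "cert-transparency", "ip": "203.0.113.11"},
    {"host": "staging-api.example.test", "source": "cert-transparency", "ip": "203.0.113.50"},
    {"host": "old-jenkins.example.test", "source": "passive-dns", "ip": "198.51.100.7"},
    {"host": "vpn.example.test", "source": "passive-dns", "ip": "203.0.113.12"},
]

# Constructed CTI indicators: values a threat-intel feed says were mentioned
# in underground listings. Hostnames or IPs only; no other detail assumed.
CTI_INDICATORS = [
    {"indicator": "198.51.100.7", "context": "constructed: IP in an access-broker listing"},
    {"indicator": "api.example.test", "context": "constructed: host in a credential-dump post"},
    {"indicator": "203.0.113.99", "context": "constructed: IP not belonging to this org"},
]

# Constructed findings with detection / remediation times for MTTR.
FINDINGS = [
    {"host": "old-jenkins.example.test",
     "detected_at": datetime(2023, 3, 1, 9, 0), "remediated_at": datetime(2023, 3, 3, 9, 0)},
    {"host": "staging-api.example.test",
     "detected_at": datetime(2023, 3, 2, 12, 0), "remediated_at": datetime(2023, 3, 2, 18, 0)},
    {"host": "api.example.test",
     "detected_at": datetime(2023, 3, 4, 8, 0), "remediated_at": None},  # still open
]


def classify_assets(known, observations):
    """Build the external attack surface and mark each host 'known' or 'unknown'.

    Returns {host: {"status", "owner", "ips", "sources"}}. Hosts observed
    externally but absent from the inventory are the 'shadow' assets ASM exists to find.
    """
    surface = {}
    for obs in observations:
        entry = surface.setdefault(
            obs["host"], {"status": "unknown", "owner": None, "ips": set(), "sources": set()}
        )
        entry["ips"].add(obs["ip"])
        entry["sources"].add(obs["source"])
    for host, entry in surface.items():
        if host in known:
            entry["status"] = "known"
            entry["owner"] = known[host]
    return surface


def unobserved_inventory(known, surface):
    """Inventory entries with no external observation: internal-only or decommissioned."""
    return sorted(h for h in known if h not in surface)


def match_intel_to_surface(surface, indicators):
    """Intersect CTI indicators with the org's own attack surface.

    Indicators that do not resolve to one of our hosts are dropped; unknown
    (unowned) assets are ranked high because nobody is on the hook to fix them.
    """
    ip_to_host = {ip: host for host, entry in surface.items() for ip in entry["ips"]}
    alerts = []
    for ind in indicators:
        value = ind["indicator"]
        host = value if value in surface else ip_to_host.get(value)
        if host is None:
            continue
        status = surface[host]["status"]
        alerts.append({
            "host": host,
            "status": status,
            "priority": "high" if status == "unknown" else "medium",
            "indicator": value,
            "context": ind["context"],
        })
    return sorted(alerts, key=lambda a: (a["priority"] != "high", a["host"]))


def mean_time_to_remediate(findings):
    """Mean detection-to-remediation time over closed findings, or None if none closed."""
    durations = [f["remediated_at"] - f["detected_at"] for f in findings if f["remediated_at"]]
    if not durations:
        return None
    return sum(durations, timedelta()) / len(durations)


if __name__ == "__main__":
    surface = classify_assets(KNOWN_ASSETS, OBSERVATIONS)
    for host, entry in sorted(surface.items()):
        print(f"{entry['status']:8} {host:28} owner={entry['owner']} sources={sorted(entry['sources'])}")
    print("inventory entries not seen externally:", unobserved_inventory(KNOWN_ASSETS, surface))
    for alert in match_intel_to_surface(surface, CTI_INDICATORS):
        print(f"[{alert['priority']}] {alert['host']} <- {alert['indicator']} ({alert['context']})")
    print("MTTR:", mean_time_to_remediate(FINDINGS))
```

Two points of design are worth noting. Matching intelligence against the whole observed surface, not just the inventory, is what lets an indicator tied to `old-jenkins.example.test` surface at all: that host is exactly the kind of forgotten asset the report says teams cannot see. And computing MTTR only over closed findings keeps open ones from silently inflating or deflating the figure; a real dashboard would report the open count beside it.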